2.7 SECURITY AND PRIVACY POSTURE

The purpose of the RMF is to help ensure that, throughout the SDLC, information systems, organizations, and individuals are adequately protected, and that authorizing officials have the information needed to make credible, risk-based decisions regarding the operation or use of systems or the provision of common controls. A key aspect of risk-based decision making for authorizing officials is understanding the security and privacy posture of information systems and the common controls that are available for inheritance by those systems. The security and privacy posture represents the status of information systems and information resources (e.g., personnel, equipment, funds, and information technology) within an organization based on information assurance resources (e.g., people, hardware, software, policies, procedures) and the capabilities in place to manage the defense of the organization in its operation or use of systems; comply with applicable privacy requirements and manage privacy risks; and react as the situation changes.

The security and privacy posture of information systems and organizations is determined on an ongoing basis by assessing and continuously monitoring system-specific, hybrid, and common controls.[44] The control assessments and monitoring activities provide evidence that the controls selected by the organization are implemented correctly, operating as intended, and satisfying the security and privacy requirements in response to laws, executive orders, regulations, directives, policies, standards, or mission and business requirements. Authorizing officials use the security and privacy posture to determine if the risk to organizational operations and assets, individuals, other organizations, or the Nation is acceptable based on the organization’s risk management strategy and organizational risk tolerance.[45]

[44] Monitoring of controls is part of an organization-wide risk management approach defined in [SP 800-39].

[45] See RMF Prepare-Organization Level step, Task P-2.